Slashdot Log In
Survey Shows Admins Avoiding SP2
Posted by
CowboyNeal
on Fri Apr 15, 2005 04:06 AM
from the untested-waters dept.
from the untested-waters dept.
bonch writes "Tom's Hardware Guide is running an article about Windows XP Service Pack 2 and its limited acceptance by IT administrators. AssetMetrix is cited in the article as reporting that fewer than 24% of over 136,000 Windows XP PCs in 251 North American corporations even had SP2 installed. THG goes on to describe the reasons given by admins and discusses the advantages and disadvantages of installing SP2."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
no comment (Score:5, Funny)
Whoa..first post? (Score:3, Funny)
Re:Whoa..first post? (Score:5, Informative)
I'd like to have the NX bit enabled to improve security, but it's not worth it if it causes so much software to crash. The thing that worries me is that most people wouldn't have a clue about any of this, so would just be stuck with a choice between crashing applications or removing SP2.
Parent
Re:Whoa..first post? (Score:5, Informative)
Yes, it's not 100% perfect. No upgrade ever is. Especially considering the staggering amount of code in XP. But for some of us, it's working just fine.
Kierthos
Parent
Re:Whoa..first post? (Score:4, Funny)
Parent
Don't laugh. Re-installing SP2 may make it work. (Score:5, Informative)
The parent post is moderated as "Funny", but that's what happened to us. We installed SP2 on numerous machines. There were a variety of problems. Re-installing SP2 and rebooting several times often cured the problems. Sometimes it was necessary to reload the entire Windows SP2 operating system.
We troubleshot one of the problems and discovered that SP2 expects that a particular file exists on the target computer, before it has copied that file. So, if the version that was already on the target computer is not recent enough, SP2 will crash. We reported this to Microsoft, but there was only a spacey response, as though confusion reigned. Microsoft did not seem to have the capacity to respond sensibly.
SP2 has numerous fixes for problems with USB 2.0. USB operated much better for us after SP2 was installed.
Microsoft gives us the impression that the company has a sloppy management style supervising coders who are not given enough time to do a good job. If you don't install SP2, you are not giving Microsoft the opportunity to fix some of its bugs. Someone once said that the Microsoft motto was "The whole world is our beta test site." According to that, Windows XP SP2 is just the first release version of Windows XP. We had many, many time-consuming problems with the pre-SP1 version; in our opinion, it was not ready for release; it could be made to work, but it was a time-waster. Maybe it's foolish to believe that two billionaires could care what happens to the less rich.
All of our Microsoft OS computers are now using SP2 with all the most recent critical updates, with no unexplained problems for months.
Be careful with Windows XP updates other than critical updates. Someone made a mistake and updated a computer here recently with a recommended hardware driver. The name of the driver on the Windows Update web site is different from the name of the driver once installed. That computer has never had an "HP wireless keyboard" attached to it.
Parent
I get a funny feeling (Score:3, Insightful)
Simple... (Score:5, Interesting)
Re:Simple... (Score:4, Informative)
It let you open the ports you need, with plenty of warning message of what may/may not happen.
Do more active scanning of the packets coming in and going out for malicious packets.
Windows Firewall is not enough in someways, but too much and not fine grained enough in control in other ways.
Parent
Re:Simple... (Score:5, Interesting)
W2K does everything that we need..... it's more STABLE than XP, and we do not have application incompatability. Hell we can even run some of the old windows 95 apps and DOS apps without problems.
Wanna hear something funnier, for our critical stuff, the servers that make us $10,000 an hour running commercials, still run windows NT 4.0 because W2K is not proven to us to be as stable as NT4 in that specific use on that hardware. Also, cince those servers are on their own protected network any comments of "hax0r3d or own3d" are silly cince the script kiddie will need physical access or capable of tapping a fiber optic line, you can not access it without sitting in one of the data centers or the server locations.
Although the temptation is pretty high on that gear, imagine forcing all the top channels in a community to start playing monty python and the holy grail at midnight.
Parent
Re:Simple... (Score:4, Insightful)
we hire competent people here for IT that know how to maintain a wide range of operating systems. in fact we have never in the past 6 years I have been here called on microsoft for any support, every patch they released usually went through 3 months of intense testing before we ever released one to production servers.....
so in that aspect microsofts "support" costs more than no support.
anyways, a completely insecure computer is very safe if you create your networks and use proceedures that protect the equipment and networks.
Please feel free to tell me how we are going to have HUGE support costs after it EOL's... as we have not seen it for any other OS that is EOL here.
I usually only hear about that support myth from the MS salesmen that show up from time to time.
Parent
Re:Simple... (Score:5, Insightful)
I'm sure your company has strict procedures in place to protect against this sort of thing. However, I do feel the need to point out that, statstically, most security-related incidents are caused by insiders.
A couple of years back when I was still working as an admin I was hired by a company and on my first week there was a security incident. Upon investigation it turned out it was an ex-admin who had installed trojans on many of the servers that he had root access to while he was working there.
Parent
Re:Simple... (Score:5, Informative)
From technet [microsoft.com] article:
See here [lvllord.de] for a fix.
Parent
Not I (Score:5, Interesting)
I finished doing the last update about 3 weeks ago and have not had any problems relating to SP2 yet which is great.
IMO the only negative thing about SP2 is its size/time to install. It has slowed down deployment because of the bandwidth it uses and the the time it takes to install which is a major impact to production, which means it needs to be down out of office hours which means IT support need to work over time, etc.
While deployment of SP2 was tiring and long I would rather got on with it than wait it out like some companies are doing.
Lazy / Time Consuming... (Score:5, Insightful)
Further more SP2 adds LOTS of functionality and changes the behaviour of Windows and thus is extremely likely to break things on a corp. setup.
So I am not at all shocked that network admins haven't all installed it yet.. But I bet you if you changed the survey to - "How many network admins are installing (Via Slipstream) SP2 on new installations?" you would get a very positive and different result.
not accepted or just lazy, unorganized, dumb? (Score:5, Interesting)
Installing SP2 in a large corporate environment is nothing to sneeze at, I agree, but that's no excuse for not patching.
XP SP2 is more like rolling out a new OS (Score:5, Informative)
It's got a lot of strikes against it:
Parent
Re:XP SP2 is more like rolling out a new OS (Score:5, Insightful)
This is fairly normal for a major overhaul of an OS. Delivery dates change. SP2 fundamentally changed many of the ways that XP operates, and, contrary to some opinions, really did raise the bar on Windows security. Besides, the article to which you link was complaining about the delay of a few days from the release to premium subscribers. That's getting a little pedantic.
Lots of apps don't work with XP SP2 [microsoft.com], including some of Microsoft's own
Many of the apps on the list work fine on 32-bit XP SP2, but have problems on 64-bit. Most of the others have patches available to allow them to work fine with SP2. VirtualPC, for example, works at expected speeds when updated.
It's been known to be [crn.com] unstable [crn.com]
I'd like to be able to comment on this, but the article is expired.
Difficult to install [thechannelinsider.com]
Might be interesting to comment on this one, but it, too, is unavailable.
Additions like the firewall have serious shortcomings [eweek.com]
Wow, this is getting to be a trend. However, the Windows firewall was never intended to be an end-all, be-all solution. It was intended to make attacks more difficult by blocking off certain common ports. A middle ground was struck between home and enterprise users (one that was too open, IMHO) that still left some things somewhat open, but it's better than nothing. Had they come out with a miniature version of ISA, we'd have heard shouts (possibly including some from you, I suspect) that Microsoft was trying to put the security companies out of business.
It messes with settings and permissions [theregister.co.uk]
Of course it changes settings, though I saw little about changes to permissions. But that article, while somewhat correct on a few things, misses wide on others. It calls for Automatic Updates to be disabled because "users should update Windows manually, though regularly, paying attention to the various update options and their relevance to one's system," which we know siginificant portions of the installed userbase do not do, and have no knowledge to do so. It is a mechanism that, while potentially abusable by Microsoft, is by far the lesser evil when compared to worms running rampant because some patch from eight months prior wasn't installed.
Is still vulnerable anyway [eweek.com] in many ways [zdnet.co.uk], and it can take weeks or months to force a repair or even admission.
Microsoft never claimed that SP2 would be vulnerability-free. It claimed that it would be more secure, and generally speaking has been correct in this. Even the patches that have covered both SP1 and SP2 have in many cases had lower severity ratings for SP2.
Doesn't fix or remove MSIE [eweek.com]
Well, they're not going to remove IE, so there's not much point in complaining about that. But whether it fixes it is another question. Are there still vulnerabilities? Sure there are. But while IE still has a good distance to go, IE6 SP2 is far superior to its predecessors in terms of default security and blocking random installations. I have personal clients who were at first annoyed by IE's new features, and in recent months have come to love that it blocks so much (I'm still working on converting some of them to Firefox).
Has DRM features that let spammers 0wn [zdnet.co.uk] the machine
Not sure if this particular issue was ever directly addressed by Microsoft, but since I haven't seen much evidence of this method being used to gather up armies of zombies (most do it by e-mail or open ports), I'm not sure how serious it was to begin with.
Parent
Re:not accepted or just lazy, unorganized, dumb? (Score:4, Insightful)
And yet they've successfully set up those networks in the first place, probably installed numerous other WinXP patches across their networks afterwards, probably installed and configured office apps, corporate database stuff, corporate Intranet stuff, and more.
Really, if installing SP2 from a centralised control point isn't a matter of "Click here" and perhaps fixing some unusual incompatibility problems on a small proportion of machines, then I'm betting it's SP2 (or its installation tools) that is broken, not the IT staff.
Parent
Re:not accepted or just lazy, unorganized, dumb? (Score:5, Insightful)
The survey the article discusses says nothing about why, but apparently THG contacted "some admins in the trenches" who apparently gave some reasons. Of course they don't bother giving numbers of "admins in the trenches" they contacted or any relavent info.
I admin about 500 PCs, and we had NO problems. Granted almost all of the PCs have "standardized" hardware. No, not all PCs and periphials are identical but ALMOST all are from a single vendor (DELL) and have VERY similar hardware. We also have about a dozen standard software builds (with of course a number of one-off builds). We use a decent mix of MS apps, 3-rd party apps, and in-house apps.
The biggest issue we had was help-desk calls about pop-ups or ActiveX controls being blocked by default in IE. Preping for the rollout wasn't a very big task. Took under a week to fully test on standard builds.
I like
Maybe I (and the admins I know) were just "lucky", but based on my experience I have a really hard time accepting the crap I've read about SP2 on
Parent
They have good reasons to avoid SP2 (Score:5, Insightful)
Windows admins have a good reason to be a bit careful here. Windows Service Packs have a long tradition of making systems or applications no longer function. After getting burned a few times, you learn to be careful.
Re:They have good reasons to avoid SP2 (Score:5, Informative)
Parent
Re:They have good reasons to avoid SP2 (Score:5, Funny)
Now only if an IE update would install Firefox.
Parent
Security moanings (Score:4, Insightful)
Re:Security moanings (Score:3, Funny)
Some administrators whine and moan whenever they have to do work.
REAL security... (Score:5, Interesting)
Microsoft has yet to do the right thing. The security community has been beggng them to back out of the tight browser/desktop integration and "security zones" since 1997, and split the rendering and access functionality of the HTML control into separate components so you CAN run a locked-down sandboxed version of Internet Explorer if you want to... but instead Microsoft refuses to admit they made a mistake and patches symptom after symptom instead of attacking the disease.
That's why I, wearing my "security hat", banned all internet-capable applications that used the MS HTML control for rendering... back in 1997. As long as that ban was in effect we had zero virus and security panics, and we were the only division of our company for which that was the case.
The fundamental design of the HTML control is broken and unfixable. THe only solution is to back out of that design at a very low level, and rewrite all the applications that use it to handle access themselves. In 1997 I expected that Microsoft would do that... by now, it's obvious that they won't. They're afraid of losing face.
The right thing, from a security point of view, is to stop using Internet Explorer, Outlook, Outlook Express, Windows Media Player, Realplayer, and all other applications that use the MS HTML control to display potentially untrusted data whether they're shipped by Microsoft or some third party. Microsoft has proven over and over again for the last seven years that there is no other rational course of action.
SP2 and every other "security" patch that Microsoft provides are just smoke and mirrors.
Parent
Re:REAL security... (Score:5, Interesting)
The results? Fantastic. My spyware-ridden network dropped to near-zero in terms of infestation. There is only one machine that still needs MSIE and for that, I taught that user that MSIE isn't really "gone" that she only needs to open an explorer and type in the URL or select a favorite that has been saved. Apparently ADP isn't as security conscious as they are of "ease of use and implementation." (Methinks their in-house developers only know one thing is all. One of these days I'm going to write a scathing message about the company so many depend on for payroll and other critical business functions using something known in the security community to be a huge blazing hole.)
I pray for the day when some really smart person writes replacement code that will allow a complete switchover from MSIE to Firefox -- that would include all of those APIs and things that third-party software uses to activate the MSIE rendering...it would be a good day for all.
Parent
Re:Security moanings (Score:3, Interesting)
Secondly, and more importantly, no application, no matter how it is written, should be able to kill the kernel! That is just ridiculous, and in other circumstances would be referred to as a local denial of service vulnerability.
Please now hit yourself with a clue-stick.
J.
I guess we just have to wait... (Score:5, Funny)
Things shouldn't be this way (Score:5, Interesting)
Network & firewall changes (Score:3, Interesting)
Given that many of the SP2 changes relate to networks and firewalls, the bigger the corporate network the bigger the chance the upgrade will take some time to get working for everyone in a company.
If you are used to fixing problems remotely and the upgrade prevents the problem PC connecting to the network... you see the issue
SP2 soon to be FORCED upon us... (Score:5, Interesting)
So I installed it. It broke SQL Server 2000 because I hadnt patched it (but wrote information to the event log about how to fix it) but apart from that things went well...
Until I tried to run the spidering app Ive been working on at which point I discovered that XP Pro + SP2 = Castrated System! SP2 limits the number of connections pending opening to 10 (down from 50) and provides no way to change this limit!!!! Unimpressed....
Anyways, given that many pieces of software will only run on systems patched to a certain SP level Id expect that it wont take long before its a required upgrade...having to install it for documentation to work though....that rubbed me the wrong way I must say..
Re:SP2 soon to be FORCED upon us... (Score:5, Informative)
Parent
XP SP2 sucks for p2p? (Score:5, Interesting)
To be honest this was the first I heard about it. I just naturally assumed that shareza didn't peform as well as other dedicated P2P software applications. That registery entry seems to be missing and according to what i've read is hard coded in tcpip.sys. I found software to change the number of connections permited in tcpip.sys here [lvllord.de] and it might be covered in XP-antispy [xp-antispy.org] though I've not tested it yet.
In all fairness I have had few problems with XP SP2. Unfortunatly any problem I've had has been hardware related.
Re:XP SP2 sucks for p2p? (Score:3, Informative)
On 98: the limit of available TCP sockets is pretty low, but Windows will tell your program that the call failed. Ok.
On XP SP1: the limit of available sockets is a lot higher. Everything works fine.
On XP SP2: Windows will start _10
They're misstating the facts (Score:5, Informative)
It does not. It limits the number of pending connections. The biggest problem with this in relation to p2p is that clients often report IP/ports that are unreachable due to firewall/NAT. Hit 10 of those and you can't open any more connections for a while. Also very annoying if you hit a web page where the image server is down. 10 images you can't load? Tarpitted. Personally, I've changed this long ago.
Kjella
Parent
SP2 runs fine on my PowerBook :) (Score:5, Funny)
I hardly ever use it, though... except to run Windows Update when a new batch of patches come out.
WI-FI woes (Score:5, Funny)
The bug mentioned in the article, where Windows sets up an ad hoc network on a preferred SSID it can't find, is lethal in a conference network. One fuckwitted XP box stealing the SSID for its ad hoc network can disconnect hundreds of delegates. Any time that you're nearer the XP box than the access point (s.t. the XP box has more signal), your net access is toast, whether or not you're running windows.
I've been at conferences where there were hourly PA-broadcasts begging XP users to turn off their ad-hoc networks. If you have XP SP1 on-line at a conference, then you should expect to have your laptop pounded into fragments by angry geeks. They will be justified.
Say what? (Score:5, Insightful)
So, if Microsoft force you to upgrade to SP2 to reduce the number and chances of a compromised PC it's bad because they're forcing you.
If Microsoft don't force you to upgrade then it's bad because they're not being proactive enough in reducing the number and chances of a compromised PC.
Must be great to be a decision maker at Microsoft where whatever choices you take it won't be liked.
Bottom line (Score:5, Insightful)
When new programs come out that require SP2 (like the upcoming IE7), it will be too late to start thinking about an upgrade... If it breaks your 5-year-old applications, replace them.
If your internally-generated code isn't ready, fix it.
If you can't cope with the lame Window Firewall, RTFM to customize or disable it.
How long before the legal or finance departments need to use a business-critical Web site that requires IE7 for access?
Re:Bottom line (Score:5, Interesting)
You say that like that's a bad thing.
How long before the legal or finance departments need to use a business-critical Web site that requires IE7 for access?
I don't know, you tell me: how long before some criminally stupid web developer creates a business-critical website that requires a specific version of a browser to even work? Not just "doesn't work on Firefox" (which is already in the "criminally stupid" department) but "doesn't work on recent versions of Internet Explorer"? Yes, I know, that's already happened... but in my case it was a website that didn't work on anything later than IE 5.5. Or older, either. Basically, Doctor Evil, this is a sword that cuts both ways.
Parent
SP2 caned all our UNIX interoperability (Score:5, Interesting)
Here's a review of how it performs (Score:3, Informative)
Re:Duped article... (Score:3, Funny)
Re:Its not flaimbait.. Plz dont on me (Score:4, Interesting)
Now windows installers are huge. But at least it's usually just a case of downloading and running setup.exe and all is done done for you.
Parent
Re:SP2 is useless (Score:3, Insightful)
SP2 isn't useless, it is manditory, but a serious pig to apply in the corporate environment. You are short sighted to think otherwise.
How to Kill XPSP2 Security Center Pop-Ups (Score:3, Informative)
2. On the left side of the Security Center window, locate and click the "Change the way Security Center alerts me" link.
3. In the "Alert Settings" window that appears, uncheck any/all the warnings you no longer want to have pop-up when you log in.
4. Click the OK button to save your changes.
Re:Applications (Score:4, Interesting)
Some new client software that one acquaintence is being pressured to look at by her current vendor doesn't work at all under SP2. The soon-to-be-discontinued client works just fine since it's accessed via a terminal emulator and can therefore be accessed from any platform with a terminal emulator. The new one can't. Nor does it function under XP SP2.
If the vendor came out with a linux or bsd port for the new client then she could forget about MS-Windows altogether and wouldn't have to have those machines set up for dual boot. But then that would make sense.
Parent
Re:Applications (Score:3, Funny)
Re:You mean I cant use Semagic anymore??? (Score:4, Insightful)
The programs on the list are WORRYING the admins who are running custom software, legacy compatibility programs, specialised software.
I work for some schools in a London borough who have to make all financial arrangements over a program called SIMS which, last time I looked, was actually some sort of DOS-based program. It's had upgrades since but it still relies on communicating with the borough's financial systems which do not run on Windows but communicate over some sort of terminal interface. There were known incompatiblities with SP2 and this software because of the way it uses the network to communicate.
You upgrade and break that, the school can't pay their staff, buy products, organise mid-day catering or pay any suppliers. Because there is a policy of keeping all machines at the same patch level to prevent incompatibilities, the curriculum network (i.e. where the kids play) also cannot be upgraded until the incompatibilities are solved.
Therefore, 30-odd computers are forced to stay at SP1 because of the most important app in the school, which EVERY school in the borough runs (17 of them, I believe). That's getting into nearly a thousand computers all told that are hung up by an incompatibility with one program that's been running fine for YEARS.
You think MS know or care about a package that a London school uses on one machine in each school? No, so it's not on their incompatibility list. The point is that SP2 causes problems, especially with programs that use networking, that can only be found by testing. If the test fails, you have to wait for a fix from the vendor or make one yourself. In the meantime, you have to hold off on SP2.
Parent